I did an analysis of the trojan horse that was hidden
in the recent portable version of openssh (3.4p1).
It could be found (and still can be) on ftp.openbsd.org
and its mirrors.
In openssh-3.4p1/openbsd-compat a C file "bf-test.c" has been added.
It tells you it has to check for correct handling on HP-UX PL.2
systems ... which is in fact 100% rubbish.
[PL.1 has been horrible ... so what could PL.2 be? :-]
In openssh-3.4p1/openbsd-compat "Makefile.in" has been edited to
respect these changes.
When running make, "bf-test.c" compiles to a program which has a
shell script as output.
The shell script outputs a C program and tries really hard to get it
compiled ... and run.
The C program connects to a computer in Australia (203.62.158.32)
and starts a shell locally if asked by the other computer.
[I have not started this program ... but the server seems
to have closed port 6667 (could be a firewall in between though)
{this computer probably has been attacked beforehand}]
In my opinion this is a really serious attack,
as I have to say:
1.) I do not often check signatures on packages I install
1.a) especially I wouldn't have thought about the possibility
that someone might be able to get access to ftp.openbsd.org
(ok, this is a SunOS machine at the University of Alberta)
2.) I normally run make on a computer reachable by the net
3.) sometimes one is lazy and just runs make && make install as root
Christian Bahls
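The post describes a tampered release that differs from the clean one by one added file (openbsd-compat/bf-test.c) and one edited file (openbsd-compat/Makefile.in). The script below is an added example, not part of the post or of OpenSSH: it computes a per-file SHA-256 manifest of an unpacked source tree and diffs it against a manifest taken from a trusted copy, so that exactly this kind of addition or edit is reported before anyone runs make. The directory layout and file contents are constructed for the demo (the bf-test.c placeholder is not the real file); in practice the trusted manifest comes from a signed release or published checksums, which is what lesson 1 above is about.

```python
"""Detect unexpected additions or edits in an unpacked source tree.

Added example (not code from the original post). Compares per-file
SHA-256 digests of a tree against a manifest from a known-good copy
and reports files that were added, modified or removed.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_manifests(trusted, observed):
    """Classify files as added, modified or removed relative to the trusted manifest."""
    added = sorted(set(observed) - set(trusted))
    removed = sorted(set(trusted) - set(observed))
    modified = sorted(p for p in trusted if p in observed and trusted[p] != observed[p])
    return {"added": added, "modified": modified, "removed": removed}


def _write(root, rel, text):
    """Helper for the demo: write a small text file under root, creating directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed clean tree, tamper with it the way the post describes, and diff."""
    with tempfile.TemporaryDirectory() as tree:
        # Constructed stand-in for a clean unpacked release (not real OpenSSH content).
        _write(tree, "openbsd-compat/Makefile.in", "all: libopenbsd-compat.a\n")
        _write(tree, "openbsd-compat/bsd-misc.c", "/* portable helpers */\n")
        trusted = build_manifest(tree)

        # Tamper in the two ways the post reports: add a file and edit Makefile.in.
        _write(tree, "openbsd-compat/bf-test.c", "/* constructed placeholder, not the real file */\n")
        _write(tree, "openbsd-compat/Makefile.in", "all: bf-test libopenbsd-compat.a\n")
        observed = build_manifest(tree)

        return compare_manifests(trusted, observed)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Running it on the constructed tree reports bf-test.c as added and Makefile.in as modified; a real check would take the trusted manifest from a copy whose signature has been verified, then run compare_manifests against the tree you are about to build.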